Permalink
334 lines (284 sloc) 20.9 KB

1.9.0 (in-progress)

  • Documentation Updates

  • Version Updates

  • Sonar / Coverity Cleanup

  • Breaking changes

    • Requires Java 8+
    • Dropped Tomcat 6 and Spring 3 modules
    • Increased Examples to servlet 3.0
    • Replaced guava with caffeine for caching
    • All remainder guava usage uses standard java routines
  • Changes

1.8.3 (2/6/2017)

**** Mainly backporting from 1.9.x branch and this release specifically was to add third party licenses ****

  • Documentation updates
  • Version Updates
  • Sonar / Coverity Cleanup
  • Added third party license files to distribution to make it easier for those requiring license certification within our distro.

1.8.2 (12/31/2016)

  • Lots of documentation updates from the community (many thanks!)
  • Moved to 'Waffle' organization with removal of 'dblock' from groupId and documentation
  • #338: Don't allow SPNEGO NegTokenArg to start re-authentication process @AriSuutariST.
  • #342: Add tomcat 8.5.x support @hazendaz.
  • #357: Fix security token handle leak in Tomcat. Issue #355
  • #382: Bug fix in DelegatingNegotiateSecurityFilter when no custom authentication provider was declared [@Unaor]
  • #397: WindowsLoginModule missing roles in Principal. @devnullpointer
  • #454: Tomcat 9.0.0.M15+ support for Realm class simple name change for logging. @hazendaz

1.8.1 (2/10/16)

  • Official notification dropping long-term support on 1.7.x branch
  • Rework .net build to be mostly automatic using nuget
  • Change .net target to more modern .net 4.0 framework
  • #309: Added impersonation support on spring-security filters @sergey-podolsky.
  • #296: Added Tomcat 9 support.
  • #268: Cannot log in automatically on machine where Tomcat service is running
  • #274: Update WindowsSecurityContextImpl.java to handle SEC_E_BUFFER_TOO_SMALL
  • #128: Update WindowsSecurityContext.cs to handle SEC_E_BUFFER_TOO_SMALL
  • #310: Add equals and hashCode to WindowsPrincipal

1.8.0 (09/10/15)

*** Java Requirement now 1.7 ***

  • Introduction of diamond operator and try with resources firmly requiring java 7.
  • #187: Removed Spring 2 and Tomcat 5 support.
  • #226: Moving base to java 1.7
  • #239: Fix handle leak in LSASS.exe process.

1.7.5 (11/7/15)

  • Backport #239: Fix handle leak in LSASS.exe process.

1.7.4 (05/12/15)

  • #188: Added support for service provider to authorize the principal.

  • #192: Fix: Tomcat 8 MixedAuthenticator uses LoginConfig out of context.

  • #206: Fix issue #203 ** Tomcat negotiate filters reporting Win32Error 500 status error instead of 401. ** Related to issue #107

  • #207: Further refinement of test dependencies and now requires java 7 to compile library. ** At this point, still supports java 6 runtimes.

  • Github gh-pages now built via mvn site plugin.

  • We use sfl4j, so use jcl-over-slf4j instead of allowing spring to bring in commons-logging.

1.7.3 (12/21/2014)

  • Corrected javadoc issues in shiro package to ensure javadocs build.
  • Make some package methods private in shiro package.

1.7.2 (Not Released)

  • Ensure waffle dependencies referenced in poms are against vulnerability free releases.
  • Rework java build to conform with maven standard practices.
  • Enhance distribution to build zip thus allowing maven central deployment.
  • Discovered issues with classpath / javadoc, release aborted upon push to maven central.

Developer note

  • #164: Added unit test in waffle-tests using catch-exception test library to verify the condition caught is actually expected.

1.7.1 (11/30/2014 - waffle-jna only)

  • #164: Added try/catch to authorization header base64 decode in cases of invalid or unsupported authentication header. ** Throws runtimeException "Invalid authorization header."
  • #168: Exception stack trace on invalid credentials. ** Change in waffle 1.7 per sonar to trap only thrown errors resulted in a regression where user enters invalid creditionals and expected behaviour is to ask again but instead a stack trace was thrown. Special thanks to @gstanchev for finding and helping resolve this issue.
  • Drop legacy base64 usage previously deprecated. We use guava for this now.
  • Small number of array object creations cleanup.

1.7 (9/25/2014)

Notable Feature Changes

  • Full Mavenized Build
  • All demos now mavenized
  • Support for Tomcat 8
  • Support for Spring 4 & Spring-security 4
  • Enhanced logging
  • Tomcat Protocol parameter for valves to allow default Negotiate / NTLM or selective setup
  • Restructured project for full maven support and clearer intent
  • Upgraded .NET build to Visual Studio 10, .NET Framework 4
  • Enforce Java code formatting (space based) through maven plugin
  • Enforce License information in Java code through maven plugin
  • Deprecated Base64 internal usage in favor of using Guava BaseEncoding Base64.
  • Mocking Testing of third party implementations for cleaner intent.

Changes

  • #140: Mocking Unit Tests - @hazendaz.
    • Mock implementations used in unit tests for various features such as tomcat/shiro in order to make it clear to intention of waffle tests.
  • #136: Enable user logging when using filter @tbenbrahim.
    • Added toString to WindowsPrincipal to enable logging of authenticated user when using the servlet filter, using the waffle.servlet.NegotiateSecurityFilter.PRINCIPAL session attribute.
  • #120: Application Security License - @hazendaz.
    • Using License Maven Plugin to ensure license is up to date on java files
    • All donated code to library now has proper license
    • License controlled through license.txt under waffle-parent
  • #119: Format Enahancement - @hazendaz.
    • Using Java Format Maven Plugin to ensure formatting of code consistent
    • Now using spaces rather than tabs.
  • #108: Spring 4 - @hazendaz.
    • Spring 4 / Spring Security 4 support
    • Early release [no changes over spring 3]
  • #101: Enhance Logging - @hazendaz.
    • Use full feature {} of logging and stop concatenating strings.
  • #97: Added protocols parameter on Tomcat valves - @hasalex.
    • Attribute protocols on the valve in order to limit the authentication to one or some protocols
  • #93: Updated Documentation - @hazendaz.
    • First cut at updating documentation to reflect maven.
  • #92: Pom Corrections - @hazendaz.
    • Oops! #91 attempted to remove .settings but actually added them back, removing again.
  • #91: Drop eclipse settings - @ryantxu.
    • More maven cleanup work, removed .settings, .classpath, and .project files from build as maven creates these.
    • Additional benefit here is that this is easily built using many various IDE's tanks to maven.
  • #90: Pom Corrections - @hazendaz.
    • Corrected missed change #87 on rename of build in multi module pom
    • Fixed issue with incorrect objenesis version being picked up by maven resolution
    • Reworked parent POM for use with users without their own nexus repo
    • Fixed to work properly with GIT so jars show all necessary manifest information
  • #88: Full Mavenization - Part 2 - @hazendaz.
    • Using standard maven layout now.
    • Fixed one test case that was case sensitive
    • Added default to case statements with break.
  • #87: Renamed 'demo' & 'build' - @hazendaz.
    • Renamed these modules to reflect their true nature
  • #86: Full Mavenization - Part 1 - @hazendaz.
    • Building on maven beginnings of project for making this a maven only build
    • Removed ant/ivy configuration
    • Known issue in built files due to not using standard maven layout, expect to fix later
    • Cleanup git ignores for removed ivy items
    • Corrected issue with mockito pulling in old hamcrest
    • Reworked demo to be more maven like in layout
    • Added more settings for tomcat8
    • Jetty skips javadocs due to no public classes
  • #84: Added a better embedded Jetty example - @juliangamble.
    • See 'Adding a better embedded Jetty example PR #81' for more details
  • #83: Added fluido skin - @hazendaz.
    • Provides maven site generation using twitter bootstrap for nice look and feel
  • #82: Tomcat 8 Support (BETA) - @hazendaz.
    • BETA Tomcat 8 support
  • #78: POM Updates - @hazendaz.
    • Now supporting tomcat 6.0.39 / 7.0.52
    • Updated versions throughout
  • #76: Add SPNEGO NegTokenArg support - @AriSuutariST.
  • Fixed WindowsComputerImpl.Groups returning an empty local groups set - @dblock.
  • #114: Fixed Waffle.Windows.AuthProvider.WindowsSecurityContext and WindowsAuthProviderImpl to loop and allocate memory on SEC_E_INSUFFICIENT_MEMORY beyond Secur32.MAX_TOKEN_SIZE in InitializeSecurityContext and AcceptSecurityContext - @kentcb.

1.6 (12/24/2013)

Features

Bugs

  • #58: Fix: error in InitializeSecurityContext: The buffers supplied to a function was too small. when a user belongs to many groups - @dblock.

Development

  • #42: Replaced GroboUtils with ContiPerf in the Java load tests to remove use of the "Opensymphony Release" repository - @davidmc24.
  • #42: Enhanced the Ant build to allow specifying -DskipTests=true to skip running the tests to allow compilation on non-Windows platforms - @davidmc24.
  • #42: Extracted a new "waffle-tests" component out of the existing "waffle-jna" component to remove compile-scope dependency on mockito - @davidmc24.
  • #42: Added Maven POMs for the Java components - @davidmc24.
  • Added ContiPerf 2.2.0.
  • #44: Add pom.xml files to create a .war and deploy demo filter web app to a local Tomcat server - @bhamail.

1.5 (10/19/2012)

This release unifies support for various Java platforms within a single package and significantly improves development infrastructure.

Features

  • Waffle now requires Java 1.6 or newer, uses generics where possible - @hazendaz.
  • Waffle now requires JNA 3.5.0 (currently private build) - @dblock.
  • Native Tomcat and Spring support has been split out of the waffle-jna.jar - @dblock.
    • waffle-spring-security2.jar: Spring-security 2.
    • waffle-spring-security3.jar: Spring-security 3.
    • waffle-tomcat-5.jar : Tomcat 5 valves.
    • waffle-tomcat-6.jar : Tomcat 6 valves.
    • waffle-tomcat-7.jar : Tomcat 7 valves.
  • Rewritten documentation in Markdown, the CHM documentation has been removed - @dblock.
  • #3: Replaced commons-logging with slf4j and logback - @hazendaz.
    • slf4j 1.7.2
    • logback 1.0.7
    • Use jcl over slf4j for Spring, as it uses commons-logging.
  • Jacob-based COM interfaces and implementation have been removed - @dblock.
  • #1: Adjusted logging from info to debug to reduce noise level - @mcfly83.
  • #17: JAR manifest information includes specification and implementation details, such as GIT revision - @ryantxu.
  • #23 Added waffle.util.WaffleInfo which collects system information useful for debugging - @ryantxu.
  • #28 Added waffle-jetty project. This lets developers run Waffle directly within the IDE - @ryantxu.
  • #33: Added support for servlet3 programmatic login - @amergey.
  • Upgraded Wix to version 3.7 - @dblock.

Interface Changes

  • Waffle boolean getters now use is* java standard - @hazendaz.
    • getContinue is now isContinue
    • getDebug is now isDebug
    • getAllowGuestLogin is now isAllowGuestLogin
    • getImpersonate is now isImpersonate
  • Fixed case of RevertToSelf, now revertToSelf - @hazendaz.
  • All array getters now return empty arrays rather than null - @hazendaz.

Development

  • Upgraded thirdparty dependencies, using Ivy - @hazendaz.
    • tomcat 5.5.36
    • tomcat 6.0.35
    • tomcat 7.0.32
    • guava 13.0.1
    • spring 3.1.2
    • spring 2.5.6.SEC03
    • spring-security 2.0.7
    • spring-security 3.1.2
    • junit 4.10
    • emma 2.1.5320
  • Reworked development version to use ivy - @hazendaz.
    • Removed all third party included jars.
    • Retained tomcat 5.5.36 due to ivy/maven only having 5.5.23 available.
  • #24: Use mockito for waffle-mock - @ryantxu.

1.4 (6/21/2011)

First release off Github.

Features

  • #8559: Added impersonation support on the Servlet security filter.
  • #9353: Allow customization of GrantedAuthority string in Spring Security filter and authentication manager.
  • #8493: Intermediate security contexts of unfinished Negotiate protocol instances expire after ten seconds.
  • #9854: Added support for query strings with multiple parameters to MixedAuthenticator.
  • #243081: Filter providers and protocols specified in configuration can be separated by any type of space.

Misc

  • #11052: Upgraded thirdparty JNA to 3.3.0.
  • #11053: Upgraded thirdparty WIX to 3.5.
  • #9552: Upgraded thirdparty Tomcat to 6.0.29.
  • #8493: Using Guava (Google collections), which requires a new guava-r07.jar in deployment of Java filters and applications.
  • #9456: Added Serializable to waffle.jaas.RolePrincipal, UserPrincipal, waffle.servlet.WindowsPrincipal and waffle.windows.Auth.
  • #9657: Added authProvider option to the NegotiateSecurityFilter filter options.
  • #9895: Upgraded Jacob to 1.15M4 and JacobGen to 0.10.
  • #10031: Removed waffle.windows.auth.IWindowsSecurityContext null initialize and added targetName to the remaining initialize interface method.

Bugs

  • #9274: Guest WindowsIdentity leaks a handle when guest login disabled.
  • #224546: Unable to deploy other Spring-security providers alongside Waffle. Spring Security Filter will now fall through to the remaining filter chain for unsupported security protocols.
  • #8965: Anonymous login is not correctly recognized as guest on Windows 7.
  • #229310: NegotiateRequestWrapper.isUserInRole(SID) broken. Specifying roleFormat as both and calling isUserInRole with a SID value always incorrectly returns false.
  • #9615: waffle-form, waffle-mixed and waffle-form samples fail with 404 instead of 401; html files not packaged in the distribution.
  • #9889: WindowsComputerImpl sometimes returned wrong number of groups.
  • #9552: NegotiateSecurityFilterProvider leaks a handle with new logons.

1.3 (7/21/2010)

Features

  • Ported Waffle to native Java with JNA 3.2.7, added waffle-jna.jar.
  • Added a Negotiate (NTLM and Kerberos) Tomcat authenticator, waffle.apache.NegotiateAuthenticator in waffle-jna.jar.
  • Added a JAAS Windows Login module, waffle.jaas.WindowsLoginModule in waffle-jna.jar.
  • Added a Mixed (Negotiate and Form-Based) Tomcat security authenticator, waffle.apache.MixedAuthenticator in waffle-jna.jar.
  • Added a Negotiate (NTLM and Kerberos) and Basic Servlet security filter, waffle.servlet.NegotiateSecurityFilter in waffle-jna.jar. Works with any servlet container, including Tomcat, Jetty and Websphere.
  • Added a Spring-Security Negotiate (NTLM and Kerberos) and Basic Filter, waffle.spring.NegotiateSecurityFilter in waffle-jna.jar.
  • Added a Spring-Security Authentication Manager, waffle.spring.WindowsAuthenticationManager in waffle-jna.jar.
  • Added IWindowsIdentity.IsGuest.

Misc

  • Project upgraded to Visual Studio 2008.

1.2 (3/1/2010)

Initial open-source release under the Eclipse Public License.